Hackers targeting SWIFT banks also targeted US moneymen: Hedge funds at risk

The Lazarus Group of hackers, blamed for a recent run of attacks against mainly Asian banks linked through the SWIFT network, is now suspected of targeting a mid-market US bank.

Evidence uncovered by threat detection firm eSentire suggests that the Lazarus crew (which is also the chief suspect in the 2014 Sony Pictures hack) is also targeting mid-market financial companies in the US.

An August 2015 attack against an unnamed US bank started months before the hackers lifted the SWIFT authorisation credentials from the central bank of Bangladesh and stole $81m from an account it held at the Central Reserve Bank in New York, among other similar attacks.

Hedge funds and asset managers may also be at risk from attacks launched by the same group of hackers – which separate research by Symantec and BAE Systems has linked to North Korea.

“The entire hedge fund/asset manager world makes extensive use, and by extension, trust of the SWIFT network to arrange and settle wire transfers; indications of SWIFT compromise (with ties to Lazarus) is an indicator in a new attack layer,” eSentire warns.

“The August 2015 breach attempt and its affiliation with the growing list of global bank hacks amplifies the urgency for firms still lacking proactive cybersecurity defences and strategy,” it added. “The SEC’s recent comments indicate renewed interest in pushing reform requiring compliance from broker-dealers and investment advisers. While they may be smaller than other financial counterparts, clearly they’re not immune to the broader net cast against financial institutions.”

Ontario-based eSentire has passed on evidence of malfeasance to the FBI and SEC, it says. A blog post by eSentire providing more detail on its suspicions that the mendacious web of the Lazarus group extends more widely than previously suspected can be found here. ®

Updated at 11:05 UT, 14/06/16

eSentire, which provides cyber threat and detection services to US-based mid-market financial services companies, identified and blocked an attempted attack against one of its clients months before its likely origin emerged. The attack shared a user-agent misspelling with a later attack tied to the Lazarus Group, as eSentire explains.

Just over two weeks ago, our threat intelligence partner notified eSentire that the rule we created (as a result of the blocked attack) had been connected to recent attacks linked to the Lazarus Group. Threat researchers have noted several characteristics common in Lazarus Group activities; in this case the commonality was a user-agent misspelling. The fact that this misspelling has been tied to several other suspected Lazarus Group attacks isn’t surprising; threat actors are more likely to continue using the same code time and again so long as it’s effective (these aren’t new breach cases, they’re newly discovered and/or disclosed breaches that actually occurred several months ago)